[Snort-users] NIDS on large (>500MB) pcap dumps

Balasubramaniam Natarajan bala150985 at ...11827...
Fri Dec 14 08:02:58 EST 2012


On Thu, Dec 13, 2012 at 4:14 PM, Steve Marotta <smarotta at ...16014...> wrote:

>
> Is there a way to run Snort in NIDS mode on large (>500MB) pcap dumps?
> When I try to run snort -dev -l (mylog) -r (myfile) -c /etc/snort.conf, I
> get, "Value too large for defined data type" and "ERROR: Error getting
> pcaps".
>
> Is this because the file I'm reading is too large? If so, is there a
> workaround?
>
>
>
>
You have to recompile snort with the following options.  Tell us how it
goes.

snort-2.9.4# ./configure --help | grep "2 GB"
  --enable-large-pcap      Enable support for pcaps larger than 2 GB




-- 
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121214/9004ed9a/attachment.html>


More information about the Snort-users mailing list